For years there has been a general belief in the Zeitgeist that macOS systems are immune to malware. While MacOS has a reputation for being secure, macOS malware has been trending up in recent years with the emergence of Silver Sparrow, KeRanger, and Atomic Stealer, among others. Recently, Cado Security has identified a malware-as-a-service (MaaS) targeting macOS users named “Cthulhu Stealer”. This blog will explore the functionality of this malware and provide insight into how its operators carry out their activities.
File details:
Language: Go
Not Signed
Stripped
Multiarch: x86_64 and arm
Figure 1: Screenshot of disk image when mounted
Cthulhu Stealer is an Apple disk image (DMG) that is bundled with two binaries, depending on the architecture. The malware is written in GoLang and disguises itself as legitimate software. Once the user mounts the dmg, the user is prompted to open the software. After opening the file, osascript, the macOS command-line tool for running AppleScript and JavaScript is used to prompt the user for their password.
Figure 2: Password Prompt
Figure 3: Osascript prompting user for password
Once the user enters their password, a second prompt requests the user’s MetaMask password. A directory is created in ‘/Users/Shared/NW’ with the credentials stored in textfiles. Chainbreak is used to dump Keychain passwords and stores the details in Keychain.txt.
Figure 4: Password prompt for MetaMask
Figure 5: Directory /Users/Shared/NW with created files
A zip archive containing the stolen data is created in: /Users/Shared/NW/[CountryCode]Cthulhu_Mac_OS_[date]_[time].zip. Additionally, a notification is sent to the C2, to alert to new logs. The malware fingerprints the victim’s system, gathering information including IP, with IP details that are retrieved from ipinfo.io. System information including system name, OS version, hardware and software information are also gathered and stored in a text file, shown in Figure 7 and 8.
Figure 6: Parsed IP Details
Figure 7: Contents of ‘Userinfo.txt’
Figure 8: Part of the function saving system information to text file
Figure 9: Alert of Log that is sent to operators
Cthulhu Stealer impersonates disk images of legitimate software that include:
The main functionality of Cthulhu Stealer is to steal credentials and cryptocurrency wallets from various stores, including game accounts. Shown in Figure 10, there are multiple checker functions that check in the installation folders of targeted file stores, typically in “Library/Application Support/[file store]”. A directory is created in /Users/Shared/NW and the contents of the installation folder are dumped into text files for each store.
Figure 10: “Checker” functions being called in main function
Figure 11: Function BattleNetChecker
A list of stores Cthulhu Stealer steals from is shown in Table 1.
Table 1: List of stolen data
Browser Cookies |
Coinbase Wallet |
Chrome Extension Wallets |
Telegram Tdata account information |
Minecraft user information |
Wasabi Wallet |
MetaMask Wallet |
Keychain Passwords |
SafeStorage Passwords |
Battlenet game, cache and log data |
Firefox Cookies |
Daedalus Wallet |
Electrum Wallet |
Atomic Wallet |
Binanace Wallet |
Harmony Wallet |
Electrum Wallet |
Enjin Wallet |
Hoo Wallet |
Dapper Wallet |
Coinomi Wallet |
Trust Wallet |
Blockchain Wallet |
XDeFI Wallet |
Atomic Stealer is an infostealer that targets macOS written in Go that was first identified in 2023. Atomic Stealer steals crypto wallets, browser credentials, and keychain. The stealer is sold on Telegram to affiliates for $1000 per month. The functionality and features of Cthulhu Stealer are very similar to Atomic Stealer, indicating the developer of Cthulhu Stealer probably took Atomic Stealer and modified the code. The use of osascript to prompt the user for their password is similar in Atomic Stealer and Cthulhu, even including the same spelling mistakes.
The developers and affiliates of Cthulhu Stealer operate as “Cthulhu Team” using Telegram for communications. The stealer appears to be being rented out to individuals for $500/month, with the main developer paying out a percentage of earnings to affiliates based on their deployment. Each affiliate of the stealer is responsible for the deployment of the malware. Cado has found Cthulhu stealer sold on two well-known malware marketplaces which are used for communication, arbitration and advertising of the stealer, along with Telegram. The user “Cthulhu” (also known as Balaclavv), first started advertising Cthulhu in at the end of 2023 and appeared to be operating for the first few months of 2024.
Various affiliates of the stealer started lodging complaints against Cthulhu in 2024 with regards to payments not being received. Users complained that Cthulhu had stolen money that was owed to them and accused him of being a scammer or participating in an exit scam. As a result, he received a permanent ban from the marketplace.
Figure 12: Screenshot of an arbitration an affiliate lodged against Cthulhu
In conclusion, while macOS has long been considered a secure system, the existence of malware targeting Mac users remains an increasing security concern. Although Cthulhu Team is seemingly no longer active, this serves as a reminder that Apple users are not immune to cyber threats. It’s crucial to remain vigilant and exercise caution, particularly when installing software from unofficial sources.
To protect yourself from potential threats, always download software from trusted sources, such as the Apple App Store or the official websites of reputable developers. Enable macOS’s built-in security features such as Gatekeeper, which helps prevent the installation of unverified apps. Keep your system and applications up to date with the latest security patches. Additionally, consider using reputable antivirus software to provide an extra layer of protection.
By staying informed and taking proactive steps, you can significantly reduce the risk of falling victim to Mac malware and ensure your system remains secure.
Filename |
sha256 |
Launch.dmg |
6483094f7784c424891644a85d5535688c8969666e16a194d397dc66779b0b12 |
GTAIV_EarlyAccess_MACOS_Release.dmg |
e3f1e91de8af95cd56ec95737669c3512f90cecbc6696579ae2be349e30327a7 |
AdobeGenP.dmg |
f79b7cbc653696af0dbd867c0a5d47698bcfc05f63b665ad48018d2610b7e97b |
Setup2024.dmg |
de33b7fb6f3d77101f81822c58540c87bd7323896913130268b9ce24f8c61e24 |
CleanMyMac.dmg |
96f80fef3323e5bc0ce067cd7a93b9739174e29f786b09357125550a033b0288 |
Network Indicators |
89[.]208.103.185 |
89[.]208.103.185:4000/autocheckbytes |
89[.]208.103.185:4000/notification_archive |
Technique Name |
ID |
User Execution |
T1204 |
Command and Scripting Interpreter: Apple Script |
T1059.002 |
Credentials From Password Stores |
T1555 |
Credentials From Password Stores: Keychain |
T1555.001 |
Credentials From Password Stores: Credentials From Web Browser |
T1555.003 |
Account Discovery |
T1087 |
System Information Discovery |
T1082 |
Data Staged |
T1074 |
Data From Local System |
T1005 |
Exfiltration Over C2 Channel |
T1041 |
Financial Theft |
T1649 |
rule MacoOS_CthulhuStealer { |
/Users/Shared/NW